Configuring Windows Clients with OpenVPN

by Mike on December 4, 2008

in VPN

To install OpenVPN on a Windows client, you’ll need to download the program installation file from:

When the download completes, just double-click on the file icon to begin installation.  (Accept all defaults.)

When installation completes, you should see a network connection icon with a red “x” over it in the system tray.  Don’t let that bother you.  It’ll go away when you make a connection to the server.

Transfer the appropriate key set files from the server to the “C:\Program Files\OpenVPN\bin” directory.  For example, if the Windows client is “client5”, then it will need the following files from the server:


Note that each client will use the same “ca.crt” file.  Also, be sure not to transfer the “ca.key” file to any of the clients, or else server security will be compromised.

If you don’t have local access to the client machines, you can have the users use a Windows-type SFTP program to download the files from the server.  (For example, they can use Putty, Cygwin, or Filezilla, all of which are free downloads.)

Next, cd to the “C:\Program Files\OpenVPN\sample-config” directory, and copy the “client.ovpn” file to the “C:\Program Files\OpenVPN\bin” directory.  Open the copy in the “bin” directory for editing.  Scroll down until you find the line:

remote my-server-1 1194

Change the “my-server-1” part to the actual IP address of your OpenVPN server.  For example, if the IP address of your server’s eth0 interface is, then the line will become:

remote 1194

Of course, you may have reason to use another port besides the default port 1194, and to use TCP instead of the default UDP.  On the next page, you’ll see that we’ve chosen to resolve a problem with getting through a corporate firewall by using TCP on port 80.

Note:  If you have a choice, you’ll most always want to go with the default UDP.  TCP involves more overhead, and may slightly affect your VPN’s performance.

Next, scroll down until you find the lines:

ca ca.crt
cert client.crt
key client.key

Change these lines to match the client-key files that you transferred from the server.  For client 5, these would become:

ca ca.crt
cert client5.crt
key client5.key

Uncomment the line,

;ns-cert-type server

by removing the preceding semi-colon.

Uncomment the

;cipher x

line, and change the “x” to match the cryptographic method that you set up in the server configuration.  For example, if you chose the “Blowfish” method in the server configuration, then change this line to:

cipher BF-CBC

Save the file and exit the text editor.  To test, start up OpenVPN on the server, and then start OpenVPN on the client.

The command to start the client is:

cd C:\”Program Files”\OpenVPN\bin
openvpn client.ovpn

On the client, open a second command-line window, and ping the private address of the OpenVPN server.  In our example, the command would be “ping”.  If the ping is successful, you’ve achieved coolness.  If it isn’t, you may have to reconfigure the client’s firewall to allow proper connectivity.

For ease-of-use, open Notepad and create a batch file with the preceding two commands.  Save it on the desktop as “OpenVPN.bat”.  You’ll then be able to invoke OpenVPN by double-clicking on the icon.

In Summary

Once you’ve connected a client to the OpenVPN server, you’ll be able to securely access the server with your normal applications by using the server’s private IP address.  So, in our example, whether we’re accessing the server via Telnet, FTP, http, or perhaps even Teamspeak, we would use “” as the server address.  Yeah, it seems strange to use a private IP address to access something from across the Internet, but with Virtual Private Networks, that’s just the way it works.

Previous post:

Next post: